How to sign an applet (and get it to work)

This worked beautifully for me!!! Thanks!!!

However, I have a follow up question.

I had to change dev machines and need to now continue development on the new box but I can't sign the jar file correctly on the new machine.

I copied my tstcert.crt file to the new machine and tried:

keytool -import -file tstcert.cer -alias tstkey -storepass ****

It successfully imported the cert into the default keystore.

But when I now try to sign the jar I have an error:

jarsigner myjar.jar tstkey

jarsigner: certificate not found for: tstkey

But it seems like it's there:

keytool -list -alias tstkey

tstkey, Tue Oct 02 15:28:04 PDT 2001, trustedCertEntry,

Certificate fingerprint (MD5): A1:62:AD:E7:0A:CD:AE:03:A9:1A:56:FB:B1:47:FC:25

Any ideas?

nlele at 2007-7-1 >

If the jar the applet comes from is signed, the user should see the screen allowing them to grant all permissions to the applet.

If the user 'oks' the applet, all rights are given to the applet. However, if the applet uses classes in more than one jar, all the jars must be signed for all the classes to have full permissions; otherwise, classes in unsigned jars will be will be restricted by the security manager.

Policy files should not be necessary. When all the applet's jars are signed correctly, and the user grants the applet rights to run, the applet will have all permissions granted to it.

ncoleman1 at 2007-7-1 >

Thanks, hope these answers help you...

1) Without using the plug-in, you need to use browser based security. Both Netscape and IE have different ways of granting security rights and have different requirements of certificates. You would need to get different tools from Microsoft and Netscape (similar to the security tools that come with the jdk like keytool) to generate those keys. The plug-in allows the ability to sign an applet that will work in both browsers. The plug-in is the easiest thing to use and guarantees the JVM environment is compatible with sun, but if this app is for an intranet you can probably deal with a few browser specific quirks. Here is a site that explains more about browser specific security:

http://www.suitable.com/Doc_CodeSigning.shtml

2) JDK 1.1 was fundamentally flawed in that it can't distribute certificates. There are a couple of solutions (hacks) around this problem people have come up with.

This link will explain more about how to distribute your 1.1 certificates:

http://www.suitable.com/CodeSigningSignPlug.shtml#top

3) There is no problem using self-signed certificates in an intranet as long as every user on the intranet has there keystore updated with your certificate. (see the url in response 2 for more information)

ncoleman1 at 2007-7-1 >

First of all, sorry for my English (since im spanish...)

I've followed the 10 steps 4 sign an applet for the plug in 1.2

but when I open the HTML locally or from a HTTP server, (IE5.5, W98), the plugin 1.2 loads

and start loading classes, but it pop up this exception:

( Im translating the following from spanish, so it may differ from

english version of plugin :)

>>>Java Module security adv.<<<<

"Its imposible to verify the cert. Code will be used as not signed"

And a exception stack for:

"java.security.cert.CertificateException: Unable to verify the cert. with root CA"

I hope anyone know how can i solve this...

Thanks.

frodoSonOfDrogo at 2007-7-1 >

In the JDK 1.3 plugin, if you get the popup and grant the applet the right to execute it should be running with the equivalent security policy of AllPermissions. That means the applet can do anything it wants including reading and writing to a database or a file...

So my first question would be which plug-in are you using? But, you might be caught on the problem in which every jar your applet uses must be signed with the same signature used to sign your applet. When your applet is granted the right to run, all code signed with the same signature is granted AllPermissions as well. If you load classes from additional jars or from your codebase and they are not signed the same as your applet, they will be limited by the Security Manager.

I would recommend highly to avoid any modification to any policy files because users on the Internet either won't want or won't know how to do the same change to get your applet to work.If all your jars are signed and recognized you shouldn't have any issues.

Good luck...

ncoleman1 at 2007-7-1 >

I just released an appli that helps signing either with DSA or RSA encryption.

You may get it for free at

. windows:

http://www.xlreader.com/download/stl10ea/InstData/Windows/NoVM/istl10ea.exe

. Unix and Linux:

http://www.xlreader.com/download/stl10ea/InstData/Unix/Others/istl10ea.bin

Robert

=====

robert@xlreader.com

XL-Reader Project - Secured online documentation solutions

www.xlreader.com

=====

robdella at 2007-7-1 >

With all the back and forth messages Im a little confused...

I've used the Java Plugin ages ago, but today is there any need for manual, command-line acceptace from a user to run a signed applet?

The above question applies to both scenarios - 'self-signed' as well as 'CA signed'.

I dont want the 'acceptance' of the certificate to be so complex that users dont want to use it.

Thanks.

carlosnf at 2007-7-1 >

hi,

Does the method work for only the machine of which the cetificate was imported, or will ALL the net users on ANY machine will be able to accept/decline this signed applet?

(I'm referring to option 2 of step 10)

if not, is there a way to make an applet signed (with out paying for it) for all the net users?

tanks,

aner

anerjava at 2007-7-1 >

Hi everyone,

I am using the Java Plugin 1.3.1_01. I followed all the 10 steps but I still got the error message, "Unable to verify certificate with ROOT CA" while I have already imported my selfcert to the c:\program files\javasoft\jre\1.3.1_01\lib\security\cacerts. I have been stuck in this problem for a very long time. Please, help me if anyone knows how to solve it. Thanks!

Hugo

hugolam at 2007-7-1 >

Hi all

I have the problem same to Hugo.

I've follow the right step but still can't work.

The error message is still coming out.

I'm wonder the problem is from the version of Java Plug_In. I'll try to make sure it.

Ncoleman, can you tell me the version of SDK and Java Plug_In you use ?

Thanks

Fuzen

fuzen at 2007-7-1 >

I've now signed my applet (I think), but when I run it from IE6.0, I don't get any popups asking me if my applet can run. I have self signed the applet, but it doesn't work properly. Could it be because I cannot use System.getproperty("user.name") even if I've signed my applet, or is there another reson?

martinhrj at 2007-7-1 >

This worked fine for me but I have a follow up question!

I have my self-signed applet with jdk1.2.2. It works fine in a conventional PC but I am trying to get it work in a PDA - iPAQ Compaq H3870 running Pocket PC 2002 and Jeode Virtual Machine 1.9. The applet opens a connection to a remote URL so it must be signed. When I run the applet in the applet viewer I obtain a security exception ...

java/lang/ExceptionInInitializer ...

java.security.AccessControlException

I've just read a lot of posts and messages but find no answer ... only one regarding the java.security file under de lib directory of my PDA ... please could anybody help me ?

Thank you very much,

Alberto.

canayag at 2007-7-1 >

Hello all,

This is an awesome thread! With regards to signed applets:

If I have an applet (A) that is signed, and within it, a custom class loader (extension of URLClassLoader) which loads the classes of applet (B) from a signed jar, I can launch applet (B) with full previllages (i.e. java.security.AllPermissions). As long as my first applet (A) is signed, and the user accepts that, giving applet (B) full access shouldn't be a problem right? I guess I can place more security by checking to see if the signature of applet B is okay, programmatically? I haven't found a way to either:

1. Pass down the current permissions of applet (A) to applet (B).

OR

2. Check the signature of applet (B) programmatically.

Any insight would be much appreciated. Thanks in advance.

tchijiiw at 2007-7-1 >

Hi,

I want to know, after i follow all the steps listed. Do the client side still need to edit the policy stuff in order to grant the permission manually?

Coz after i made the applet with that cert, when i load the html with that applet, it throw some permission exceptions.

so, anyone know why?

Thanks!!

Vincy

vincyshiu at 2007-7-1 >

HELP!!!

I've searched high and low and I know someone has thought of protecting their client's systems from allowing them to grant full permission to signed applets but WITHOUT changing the client's policy file.

Is there a way to have a grant permission box come up when you want to write/read to a specific file and have permissions granted to write/read to that file only? Then if you need to do so again with another file, the grant box comes up again for permissions to do that action?

This way the client/user's machine is protected from FREE roaming to all of their files and they can still grant permission for me to write/read file x or y WITHOUT changing their policy files.

Any clues would be appreciated greatly

leeca1 at 2007-7-1 >

Hi ncoleman,

I have done exactly what you have mentioned.

But still I get a security exception in IE6.0 while

creating a directory through applet.

I have used a .jar file for my applet to work. Do I need to use

.cab file for IE?

Apart from this I have also taken permission in the init() of the

applet.

SO what went wrong?

Thanks,

Sujoy

sujoydc at 2007-7-1 >

I was wondering about that as well, and think I found the other thread, in which the only interesting thing was:

http://bugzilla.mozilla.org/show_bug.cgi?id=109067

The thread was http://forum.java.sun.com/thread.jsp?forum=63&thread=183585

I did what the document said and in my applet where I used to have :

executer = new Thread (AThreadedWorkerApplet.this);

executer.setPriority(Thread.NORM_PRIORITY);

executer.start();

I now have:

AccessController.doPrivileged(new PrivilegedAction() {

public Object run() {

// privileged code goes here

executer = new Thread (AThreadedWorkerApplet.this);

executer.setPriority(Thread.NORM_PRIORITY);

executer.start();

return null;

}

});

so it was a small change indeed (only it won't run without VM anymore, I will fix that in the morning ;-))

Hope this helps. By the way, we use a polling mechanism in our applets, without relying on JSOBject or whatever and the applets run practically verywhere (mac, unix, windows and on IE and netscape when at least liveconnect is supported).

WichmanH at 2007-7-1 >

Dear ncoleman1,

I have trying to handle a MSAccess Database with DSN using an applet.

I have followed you solve, but at the runtime I am getting an error stating "SQLException No suitable Driver Found".

I have tried the same code with a console based program, it does not create any problem, but when I tried it with appletviewer or browser that problem occur.

import java.sql.*;

import java.awt.*;

import java.applet.*;

import java.awt.event.*;

/*

<applet code="test.class" width=200 height=200>

</applet>

**/

public class test extends Applet implements ActionListener

{

Connection con = null;

Statement stmt = null;

ResultSet rs = null;

String str=null;

TextArea ta;

public void init()

{

ta= new TextArea(10,30);

add(ta);

Button b1 = new Button(">>");

add(b1);

b1.addActionListener(this);

ta.setText("Initialization...\n");

}

public void actionPerformed(ActionEvent ae)

{

ta.appendText("Inside actionPerformed\n");

try

{

ta.appendText("Inside try block\n");

Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");

ta.appendText("Class loaded\n");

/********** upto this point it works fine **************/

con=DriverManager.getConnection("jdbc:odbc:dbcon","","");

ta.appendText("Connection created\n");

stmt=con.createStatement();

ta.appendText("Statement created\n");

rs=stmt.executeQuery("select * from student");

ta.appendText("Resultset created\n");

while(rs.next())

{

str=str+rs.getString(1)+" ";

str=str+rs.getString(2)+" "+"\n";

}

ta.appendText(str);

con.close();

stmt.close();

rs.close();

}catch(ClassNotFoundException cnfe){System.out.println("Class Not found "+cnfe.getMessage());}

catch(SQLException sqle){System.out.println("SQL Exception "+sqle.getMessage());}

catch(Exception e){ta.setText(e.getMessage());}

}

}

Please suggest me what should I do

sanjibmail at 2007-7-1 >

Has anyone tried signing for IE,Netscape4.x and

Netscape 6+?

I think IE isnt really a problem; the classes

can simply be packaged in a cab file and other

browsers will ignore them.

I ve tried signing using Netscapes signtool

and Sun s jarsigner, but then neither will work.

Also, I cant import my certificates into Netscape

4 s database and have them recognized as code

signing certificates.

forinti at 2007-7-1 >

> How To Sign a Java Applet

>

> The purpose of this document is to document the steps

> required to sign and use an

> applet using a self-signed cert or CA authorized in

> the JDK 1.3 plugin.

>

> The original 9 steps of this process were posted by

> user irene67 on suns message forum:

> http://forums.java.sun.com/thread.jsp?forum=63&thread

> =132769

>

> --begin irene67's original message --

> These steps describe the creation of a self-signed

> applet. This is useful for testing purposes. For use

> of public reachable applets, there will be needed a

> "real" certificate issued by an authority like

> VeriSign or Thawte. (See step 10 - no user will

> import and trust a self-signed applet from an unkown

> developer).

>

> The applet needs to run in the plugin, as only the

> plugin is platform- and browser-independent. And

> without this indepence, it makes no sense to use

> java...

>

> 1. Create your code for the applet as usual.

> It is not necessary to set any permissions or use

> security managers in

> the code.

>

> 2. Install JDK 1.3

> Path for use of the following commands: [jdk 1.3

> path]\bin\

> (commands are keytool, jar, jarsigner)

> Password for the keystore is *any* password. Only Sun

> knows why...

> perhaps ;-)

>

> 3. Generate key: keytool -genkey -keyalg rsa -alias

> tstkey

> Enter keystore password: *******

> What is your first and last name?

> [Unknown]: Your Name

> What is the name of your organizational unit?

> [Unknown]: YourUnit

> What is the name of your organization?

> [Unknown]: YourOrg

> What is the name of your City or Locality?

> [Unknown]: YourCity

> What is the name of your State or Province?

> [Unknown]: YS

> What is the two-letter country code for this unit?

> [Unknown]: US

> Is CN=Your Name, OU=YourUnit, O=YourOrg, L=YourCity,

> ST=YS, C=US

> correct?

> [no]: yes

>

> (wait...)

>

> Enter key password for tstkey

> (RETURN if same as keystore password):

>

> (press [enter])

>

> 4. Export key: keytool -export -alias tstkey -file

> tstcert.crt

>

> Enter keystore password: *******

> Certificate stored in file tstcert.crt

>

> 5. Create JAR: jar cvf tst.jar tst.class

> Add all classes used in your project by typing the

> classnames in the

> same line.

>

> added manifest

> adding: tst.class(in = 849) (out= 536)(deflated 36%)

>

> 6. Verify JAR: jar tvf tst.jar

>

> Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/

> 68 Thu Jul 27 12:58:28 GMT+02:00 2000

> META-INF/MANIFEST.MF

> 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

>

> 7. Sign JAR: jarsigner tst.jar tstkey

> Enter Passphrase for keystore: *******

>

> 8. Verifiy Signing: jarsigner -verify -verbose -certs

> tst.jar

>

> 130 Thu Jul 27 13:04:12 GMT+02:00 2000

> META-INF/MANIFEST.MF

> 183 Thu Jul 27 13:04:12 GMT+02:00 2000

> META-INF/TSTKEY.SF

> 920 Thu Jul 27 13:04:12 GMT+02:00 2000

> META-INF/TSTKEY.RSA

> Thu Jul 27 12:58:28 GMT+02:00 2000 META-INF/

> smk 849 Thu Jul 27 12:49:04 GMT+02:00 2000 tst.class

>

> X.509, CN=Your Name, OU=YourUnit, O=YourOrg,

> L=YourCity, ST=YS, C=US

> (tstkey)

>

> s = signature was verified

> m = entry is listed in manifest

> k = at least one certificate was found in keystore

> i = at least one certificate was found in identity

> scope

>

> jar verified.

>

> 9. Create HTML-File for use of the Applet by the Sun

> Plugin 1.3

> (recommended to use HTML Converter Version 1.3)

>

> 10. (Omitted See Below)

>

> --end irene67's original message --

>

> To make the plug-in work for any browser you have two

> options with the JDK 1.3 plugin.

>

> 1) Is to export a cert request using the key tool and

> send it to a CA verification source like verisign.

> When the reponse comes back, import it into the

> keystore overwriting the original cert for the

> generated key.

>

> To export request:

> keytool -certreg -alias tstkey -file tstcert.req

>

> To import response:

> keytool -import -trustcacerts -alias tstkey -file

> careply.crt

>

> An applet signed with a cert that has been verified

> by a CA source will automatically be recognized by

> the plugin.

>

>

> 2) For development or otherwise, you may want to just

> use your self-signed certificate.

> In that case, the JDK 1.3 plugin will recognize all

> certs that have a root cert located in the JDK 1.3

> cacerts keystore.

> This means you can import your test certificate into

> this keystore and have the plugin recognize your jars

> when you sign them.

>

> To import self-signed certificate into the cacerts

> keystore, change directory to where the JDK plugin

> key store is located.

> For JDK 1.3.0_02: C:\Program

> Files\JavaSoft\JRE\1.3.0_02\lib\security

> For JDK 1.3.1: C:\Program

> Files\JavaSoft\JRE\1.3.1\lib\security

>

> Import your self-signed cert into the cacerts

> keystore:

> keytool -import -keystore cacerts -storepass changeit

> -file tstcert.crt

> (the password is literally 'changeit')

>

>

>

>

> Now, regardless of which method you use, the applet

> should be recognized as coming from a signed jar.

> The user can choose to activate it if he / she

> he chooses. If your applet uses classes from

> multiple jars, for example Apache's Xerce's parser,

> you will need to sign those jars as well to allow

> them to execute in the client's brower. Otherwise,

> only the classes coming from the signed jar will work

> with the java.security.AllPermission setting and all

> other classes from unsigned jars will run in the

> sandbox.

>

>

>

> NOTE: Unless otherwise specified by the -keystore

> command in all keytool and jarsigner operations, the

> keystore file used is named '.keystore' in the user's

> home directory.

>

> The first time any keystore is accessed (including

> the default) it will be created and secured with the

> first password given by the user. There is no way to

> figure out the password if you forget it, but you can

> delete the default file and recreate it if necessary.

> For most operations, using the -keystore command is

> s safer to keep from cluttering or messing up your

> default keystore.

>

cint cinderella

cintcinderella at 2007-7-1 >

hi..

i've tried your tips..

but at the 6th step, i cannot signed it

when i entered these lines,

jarsigner MyApplet.jar tstkey

Enter Passphrase for keystore: ******

the message is-->

jarsigner: attempt to rename MyApplet.jar to MyApplet.jar.orig failed

help me..

vatos at 2007-7-1 >